Wednesday, 15 May 2013

Dealing With Persistent Threats - A cloudy business (Part III)

In my last blog, I discussed some of the broader aspects of advanced persistent threats and promised to touch on how these threats apply to cloud computing.

When it comes to cloud computing, there are a lot of security fears flying around. Some of these fears are well founded while others are… well… amusing. Some aspects of cloud computing actually offer better protection than a private on-site deployment. For example, physical security within a cloud provider is often much greater than what one might find in a traditional enterprise server room. IT administrators also receive much greater scrutiny during the vetting process before they ever get hired; in some cases, law enforcement organizations will conduct thorough background checks of prospective employees for cloud providers that deal with government departments.
However, cloud computing also exposes data to attack vectors that are not normally encountered in private deployments. Issues such as data remanence (i.e. what happens to a tenant's data when they vacate), data backup and multi-tenancy now have to be considered, both from a compliance-management standpoint and from a security standpoint. When a tenant leaves a cloud provider, how can they be guaranteed that all of their data is destroyed? When the cloud provider makes backups, where are the backups stored? Are all of a tenant's backups destroyed when they vacate? Then, of course, there is the whole Patriot Act thing, where the DOH or the FBI can order cloud providers to hand over data without the tenant's knowledge.

If you plan on deploying into a public cloud, you need to start looking at encryption products. Not only that, but you need to look at encryption products that give YOU control of the cryptographic keys. Issues such as data remanence, destruction of backups, etc. should then be as easy to deal with as simply 'pulling the keys': once the tenant's keys are gone, every copy of the ciphertext the provider still holds, including backups the tenant never sees, is unreadable. From a compliance standpoint that makes things a lot more manageable, and from a security standpoint it removes a lot of risk vectors. Obviously, encryption does not eliminate all risks, nothing does, but reducing the attack surface is the best thing anyone can do. Even something like data confiscation under the Patriot Act becomes a thing the tenant keeps control of: what the provider can hand over is ciphertext, and the key stays with the tenant. The one condition that makes all of this work is that the keys are generated and held outside the provider's reach; a key the provider stores for you, or that sits in the memory of a machine the provider operates, can be handed over or copied along with the data.
These were some of the core values that drove the development of AFORE's CloudLink VSA and CloudLink CypherX: we wanted to give tenants control over their data, regardless of where the data was stored or handled.
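As an added illustration of the 'pulling the keys' idea in the paragraph above (example code written for this page; it is not the post's own code and does not describe how CloudLink VSA or CypherX are implemented): a tenant-held key encryption key (KEK) wraps a fresh data encryption key (DEK) for every object, the provider stores only the ciphertext plus the wrapped DEK, and destroying the KEK makes every copy the provider holds, backups included, unreadable. The type and function names, the object ID and the sample record are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyDestroyed = errors.New("tenant KEK has been destroyed") // returned once the tenant has pulled its keys

// StoredObject is all the provider ever holds for one object; a backup is just another copy of it.
type StoredObject struct {
	ObjectID   string
	WrappedDEK []byte // per-object data encryption key, wrapped under the tenant KEK
	Ciphertext []byte // the data, encrypted under the DEK
}
type TenantKeyStore struct{ kek []byte } // tenant-controlled key store; the KEK never leaves it

// PullKeys zeroes and forgets the KEK: every wrapped DEK, and so every ciphertext, primary or backup, is now unrecoverable.
func (t *TenantKeyStore) PullKeys() {
	for i := range t.kek {
		t.kek[i] = 0
	}
	t.kek = nil
}

// Encrypt runs on the tenant side before data reaches the provider: a fresh DEK encrypts the data and is wrapped
// under the KEK. Binding the object ID as GCM additional data stops a wrapped DEK being spliced onto another object.
func (t *TenantKeyStore) Encrypt(objectID string, plaintext []byte) (StoredObject, error) {
	if t.kek == nil {
		return StoredObject{}, ErrKeyDestroyed
	}
	dek := randBytes(32)
	return StoredObject{
		ObjectID:   objectID,
		WrappedDEK: seal(t.kek, dek, []byte(objectID)),
		Ciphertext: seal(dek, plaintext, []byte(objectID)),
	}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data.
func (t *TenantKeyStore) Decrypt(obj StoredObject) ([]byte, error) {
	if t.kek == nil {
		return nil, ErrKeyDestroyed
	}
	dek, err := open(t.kek, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(obj.ObjectID))
}

// seal is AES-256-GCM under a fresh random nonce; the output is nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, a wrong object ID or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// mustGCM panics only on a malformed key length, a programming error, never on bad data.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// randBytes draws n bytes from the OS CSPRNG; a failure here is not something to recover from.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	tenant := &TenantKeyStore{kek: randBytes(32)} // AES-256 KEK, generated and held by the tenant
	obj, _ := tenant.Encrypt("customer-db/2013-05-15.sql", []byte("constructed sample record"))
	backup := obj     // the provider's backup: the same bytes, kept where the tenant cannot reach them
	tenant.PullKeys() // the tenant vacates; no need to chase down every copy the provider kept
	fmt.Println(tenant.Decrypt(backup)) // prints an empty slice and ErrKeyDestroyed
}
```

Run it with `go run`. The backup still exists after the tenant leaves, and the provider (or anyone who seizes the provider's disks) still has the wrapped DEK next to the ciphertext, but without the KEK neither can be opened; a single key destruction covers every object and every copy. Two design points matter in practice: the KEK is generated on the tenant side and never stored with the provider, otherwise the provider could be ordered to hand over both; and in a garbage-collected language the zeroing loop is best-effort, so a real deployment keeps the KEK in a tenant-controlled HSM or key manager and deletes it there.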
